I am about to delve deeper into this issue tonight or tomorrow. I am no expert when it comes to security assessment. Today it was a quiet day at the office and I tried a few tools to test my server. That's all.

Ah, I see then. You see, WordPress itself is vulnerable to path disclosure vulnerabilities and the only thing you can do is not to show errors on the screen, e.g. by adding

display_errors = Off

to your php.ini.

To test if the plugin itself is vulnerable, you should try opening any PHP file in the plugin directory.

For example, if you open example.com/wp-content/plugins/nginx-compatibility/nginx-compatibility.php and it says something like "Fatal error: blah-blah-blah in /path/to/your/wordpress" then nginx-compatibility is vulnerable to this attack.
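The check described in the reply above can be automated against saved response bodies. This is an added example, not part of the original post: the function name, the sample bodies and the error text in them are constructed, and the path is the placeholder used in the reply.

```python
import html
import re

# PHP's default error layout once HTML tags are stripped:
#   "<level>: <message> in <file> on line <n>"   (PHP 8 uncaught errors use "<file>:<n>")
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)"
    r":\s+(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])\S*?\.php)"
    r"(?:\s+on line\s+|:)(?P<line>\d+)"
)
TAGS = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return (level, path, line) for each PHP error in body that leaks a file path."""
    # html_errors wraps the level, path and line in <b> tags, so strip tags first.
    text = html.unescape(TAGS.sub("", body))
    return [(m["level"], m["path"], int(m["line"])) for m in PHP_ERROR.finditer(text)]


# Constructed sample bodies, as a server might return for a directly opened plugin file.
PLUGIN = "/path/to/your/wordpress/wp-content/plugins/nginx-compatibility/nginx-compatibility.php"
SAMPLE_HTML_ERRORS = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function add_action() in "
    f"<b>{PLUGIN}</b> on line <b>12</b><br />\n"
)
SAMPLE_PHP8 = (
    "<br />\n<b>Fatal error</b>:  Uncaught Error: Call to undefined function add_action() in "
    f"{PLUGIN}:12\nStack trace:\n#0 {{main}}\n  thrown in <b>{PLUGIN}</b> on line <b>12</b><br />\n"
)
SAMPLE_ERRORS_OFF = ""  # display_errors = Off: the fatal error produces an empty body

if __name__ == "__main__":
    for name, body in [("html_errors", SAMPLE_HTML_ERRORS),
                       ("php8", SAMPLE_PHP8),
                       ("display_errors off", SAMPLE_ERRORS_OFF)]:
        hits = find_path_disclosures(body)
        print(name, "->", hits if hits else "no path disclosed")
```

An empty result for a plugin file only shows that errors are not displayed; the path can still be written to the server's error log, which is where it belongs.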

I am not really happy about them, but on the good side: it found "only" 4 issues. (1 issue is already one too many issues for my taste, but hey... considering I am not an expert... ;))

Anyway I am going off-topic.

Thanks for your kind support.

PS: besides that, I would like to test malicious file upload/download/execution but I don't know how to do that for now. Trying the suites for starters and understanding how it works. I'll see what I can learn and get safer.

Now that I understood this...... I can say that it was a fake and that I doubt the goodness of the websecurify Chrome plugin. Here are the two disclosure errors:

Path Disclosure
Various system paths were disclosed within the application client source code or other files. This information could be used by attackers to make an educated guess about the application environment and any inherited weaknesses that may come with it.

solution: It is recommended to re-examine the system path disclosures and remove their reference from the application's source code.

Various usernames were disclosed within the application client source code or other files. This information could be used by attackers to attack the login mechanism on the application and supporting infrastructure.

solution: It is recommended to re-examine the username disclosures and remove their reference from the application's source code.